Host Name sets the name which this VPOP3 SMTP service displays in its welcome banner. If this is left blank, then VPOP3 uses the VPOP3 Host Name setting from the Misc Settings tab.

The Refuse SMTP Connections from setting is rarely needed and should usually be left blank but is here for historical purposes. If you put some text in this box, then VPOP3 will refuse SMTP connections from senders whose HELO/EHLO command contains the text specified here. Eg, if this is set to .myisp.com, then VPOP3 will refuse SMTP connections if the sender sends a command like HELO svr23.myisp.com.

The Disable DSN support option disables the SMTP DSN (Delivery Status Notifications) extension (RFC 3461) - note not 'DNS' (Domain Name Service). This extension specifies a more structured & manageable way of sending delivery status notifications to the message sender. Usually DSN support should be enabled (so this box should be left unchecked).

The Don't allow addresses with '%' in their address option prevents senders sending messages to recipients containing % characters in their email address.

According to the standards, the '%' character is allowed in the 'local part' of email addresses (the part before the @ symbol). However, it is rarely used in practice.

In the 'old' days, using the percent symbol in an email address had a common use (known as the 'percent hack') which quickly became abused when spam started being created. You used to be able to send a message to something like 'bill%microsoft.com@apple.com', and the message would be sent to Apple's mail servers who would strip the @apple.com, and replace the last % with a '@' symbol, and forward the message on. This could be used legitimately for reaching mail servers which may not have very good Internet connectivity, as you could specify a route.

Note that VPOP3 will not interpret the % symbol this way, but spammers will still try to use this trick, so, unless you specifically want to allow % characters in email addresses, turning it off will submit VPOP3 to less load from spammers trying it on. Also, some security scanning software may throw an alert if it sees that VPOP3 accepts the % symbol, even though it's actually perfectly safe.

The Don't allow addresses with '!' in their address option prevents senders sending messages to recipients containing ! characters in their email address.

According to the standards, the '!' character is allowed in the 'local part' of email addresses (the part before the @ symbol). However, it is rarely used in practice.

Some Linux servers used to use the '!' ('bang' character) as an indication to run a command with the received email. So, sending a message to '!bin/bash+rm+-rf+/@yourcompany.com' might make your mail server delete itself…

For obvious reasons this is not widely implemented today, and VPOP3 certainly doesn't interpret the ! symbol this way, but hackers can still try to use it, so turning off VPOP3's support for '!' symbols in email addresses just makes VPOP3 look safer.

The Add Date: header field to locally sent messages if it doesn't exist option tells VPOP3 to add a 'Date:' header field to locally sent messages if it doesn't already exist.

The Date: header field is one of the few mandatory header fields, so all email sending software should automatically add it, but occasionally you may encounter some bespoke email software which doesn't add the header correctly, so you can turn this option on to make VPOP3 add one in that case. If all sending software is correctly implemented, then this option will do nothing.

The Add original recipients to custom header if message delivered to local mailbox option tells VPOP3 to add custom headers listing recipients if a message is delivered to a local mailbox.

When a message is received using SMTP, then the recipients are specified using an SMTP Envelope which contains the addresses of the sender and recipients. When a mail server, such as VPOP3, delivers the message into a user's mailbox the envelope is discarded as it is of no further use.

In some cases, the mailbox may be accessed by some other software (such as another instance of VPOP3) for delivery to another site with further sorting based on message headers. In this case, BCCd messages can be misdelivered, because the envelope information has been discarded, and the message headers do not contain details of the BCC recipients.

Turning this option on will make VPOP3 add the SMTP envelope data as new lines in the message headers beginning with X-VPOP3-ORIGRCPT. These can then be used by the onward mail sorting software to see who the message recipients were. The downside is that there may be privacy implications as BCCd recipients are now listed in the message headers.

The VPOP3 SMTP service will usually reject unknown local recipients with an error message back to the sender. In most cases this is sufficient as it means that the sender is notified, and the message will not generate error messages later.

However, in some cases, administrators may be interested in this, so you can turn this option on to make VPOP3 log the failed recipients into a badsmtprecipients.log log file, and you can use the View Log button to view the log file.

The Maximum line length option lets you tell VPOP3 the maximum length of a line to allow using SMTP. The SMTP standard says that incoming lines should be no longer than 1000 characters including the trailing CR/LF character pair. So, if you set this option to 998 (1000-2) then VPOP3 will be strictly SMTP compliant. If you leave it at the default 0, then VPOP3 will not limit line lengths at all. VPOP3 is totally safe to have longer line lengths than 1000 characters, but some security testing software will mistakenly assume that if the server doesn't check the line length then there is the risk of a 'buffer overflow vulnerability'. This is incorrect in the case of VPOP3, but this setting allows you to tell VPOP3 to restrict line lengths so that the security testing software will be satisfied.

The Maximum failed login attempts option lets you specify how many failed attempts to log in are allowed before VPOP3 will drop the connection so the sender will have to reconnect to try again. This allows persistent attackers to be rejected and blocked by VPOP3. The security checking part of VPOP3 only checks for this at the start of a connection, so if this is set too high then an attacker will be able to make many attempts before being blocked.

The Block outgoing messages if over X messages in the Outqueue option tells VPOP3 that if this many messages are waiting to be sent out from VPOP3, it will prevent users from sending any more messages. This lets you set protection against outgoing spam attacks due to misconfiguration or discovered passwords. If you set this to a number higher than you would normally expect to see in the VPOP3 Outqueue then it will allow normal sending operation, but the damage from any outgoing spam attack will be reduced because VPOP3 will prevent many thousands of outgoing messages from being sent.

The Block outgoing messages if over X messages in the Outqueue from this user option is the same as above, but only checks messages from the same authenticated user. This option will not check unauthenticated outgoing messages.

Minger

Minger (Mail pINGER) is a draft Internet protocol used between mail servers to allow authenticated verification of email addresses. This can be useful if one server is forwarding mail onto another server; it can use Minger to check the recipient email address is valid automatically without having to have a complete list of valid addresses maintained on the second server.

As this protocol is authenticated, it can be left safely running, and it will not leak information, or cause any noticeable server load, even if it is not in use. However, you can turn it off if you wish if it is not being used.

The Minger Secret is a 'password' which is shared between the Minger client and the Minger Server.

Remember recipients for Webmail

VPOP3 will autocomplete recipients when messages are being sent from Webmail. Usually it will only remember (and thus autocomplete) recipients sent to from within Webmail.

If SMTP server should collect email addresses for authenticated users is checked, then VPOP3 will also remember recipient email addresses when users send from a normal email client as well as from Webmail.

The Only collect email addresses for users who have Webmail permission option tells VPOP3 to only remember email addresses if the user has permission to use Webmail. This isn't vital, but it can help to reduce the space needed for VPOP3 to store the remembered addresses that will never be used.

The Only collect addresses if user has logged into Webmail within last X days option tells VPOP3 to only remember email addresses if the user has used Webmail within the specified number of days. This isn't vital, but it can help to reduce the space needed for VPOP3 to store the remembered addresses that are unlikely to be used.